Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 8): Bug 2214638
Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.
krb5kdc is crashing intermittently on the IPA server even after updating the packages to the latest version.

This crash is due to the is_master_host() function[1], which is called in ipadb_fill_info3()[2] as part of the process to populate the PAC. is_master_host() searches for a master host entry using ipadb_simple_search()[3], and interprets an error as the absence of a master entry, and the absence of error as the presence of a master entry. Hence, a connection error would be misinterpreted.

The crash occurs because in case ipadb_simple_search() faces a connection issue during the query, it will try to reset the connection to run the query again. But if it fails to reset the connection, it returns with an error code right away, leaving the LDAP context uninitialized. But, as mentioned above, is_master_host() won't handle this as an actual error. So the process in ipadb_fill_info3() will continue until the ldap_get_entry_controls() call, where the process crashes because of the uninitialized LDAP context.

[1] https://github.com/freeipa/freeipa/blob/release-4-9-12/daemons/ipa-kdb/ipa_kdb_mspac.c#L404
[2] https://github.com/freeipa/freeipa/blob/release-4-9-12/daemons/ipa-kdb/ipa_kdb_mspac.c#L695-L697
[3] https://github.com/freeipa/freeipa/blob/release-4-9-12/daemons/ipa-kdb/ipa_kdb_common.c#L169
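The error-conflation pattern described above, reduced to a self-contained model. This is an added example, not FreeIPA code and not the fix that was merged; the types, function names, the `EIO`/`ENOENT` return codes and the `WOULD_CRASH` marker are all assumptions standing in for the LDAP context and search call.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
/* All names are hypothetical stand-ins, not FreeIPA or libldap symbols. */
struct ctx { const char *conn; };        /* NULL: no usable connection */
enum scenario { ENTRY_FOUND, ENTRY_ABSENT, CONN_LOST };
#define WOULD_CRASH (-1)                 /* a NULL connection was used */

/* Simulated search: on CONN_LOST the reconnect fails and it returns at once. */
static int sim_search(struct ctx *c, enum scenario s)
{
    if (s == CONN_LOST) { c->conn = NULL; return EIO; }
    return s == ENTRY_ABSENT ? ENOENT : 0;
}

/* Conflated check: every error is read as "entry absent". */
static bool is_master_conflated(struct ctx *c, enum scenario s)
{
    return sim_search(c, s) == 0;
}

/* Checked variant: answer goes in *is_master, real failures are returned. */
static int is_master_checked(struct ctx *c, enum scenario s, bool *is_master)
{
    int err = sim_search(c, s);
    if (err != 0 && err != ENOENT) return err;
    *is_master = (err == 0);
    return 0;
}

static int fill_info_before(struct ctx *c, enum scenario s)
{
    (void)is_master_conflated(c, s);     /* the failure is invisible here */
    return c->conn ? 0 : WOULD_CRASH;    /* later step needs the connection */
}

static int fill_info_after(struct ctx *c, enum scenario s)
{
    bool is_master = false;
    int err = is_master_checked(c, s, &is_master);
    if (err != 0) return err;            /* stop before touching c->conn */
    return c->conn ? 0 : WOULD_CRASH;
}

int main(void)
{
    struct ctx a = { "up" }, b = { "up" };
    return !(fill_info_before(&a, CONN_LOST) == WOULD_CRASH &&
             fill_info_after(&b, CONN_LOST) == EIO);
}
```

Separating "entry absent" from "lookup failed" lets the caller stop on a lost connection instead of carrying on with a context it can no longer use.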
Metadata Update from @jrische: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2214638
Issue linked to bug 2214638
Metadata Update from @jrische: - Issue assigned to jrische
master:
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2214638,https://bugzilla.redhat.com/show_bug.cgi?id=2227831,https://bugzilla.redhat.com/show_bug.cgi?id=2227832 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2214638)
ipa-4-10:
ipa-4-9:
No need to backport to ipa-4-6, please see rationale in https://bugzilla.redhat.com/show_bug.cgi?id=2227832#c4
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @abbra: - Custom field changelog adjusted to Adjust error handling in MS-PAC processing code under high load. The fix should address krb5kdc crashes in a situation when a connection to LDAP server is severed.